44 votes

Delta CEO says CrowdStrike-Microsoft outage cost the airline $500 million, will seek damages

42 comments

  1. [13]
    krellor

    I'll be curious to see what actually gets filed. I could see a reasonable claim against crowdstrike, but going after Microsoft seems an uphill battle given the antitrust scrutiny that pushed Microsoft to open up (keep open) kernel access to security software.

    A similar situation I remember was when Aruba pushed an update intentionally bypassing their own internal QA process and completely bricked campus network WAN for a large number of orgs for months before they fully resolved it. That was settled out of court but I remember meeting with the CEO on the apology tour. Satisfying the necessary legal hurdles to show sufficient negligence will, I think, be the hardest part. If they can show that, the damages seem easy to prove.

    32 votes
    1. [3]
      Eji1700

      Yeah. As I've said I think there's 100% a case, but throwing MS in the pile just reeks of some CEO out for blood not listening to their lawyers or tech resources.

      15 votes
      1. stu2b50

        tbf the actual statement in the article is very cautioned

        Moving forward, Bastian said that the company will look into suing Crowdstrike and Microsoft for the error.

        Didn't even say that they will sue anyone, just "look into". Which means practically nothing. And that's the only line about the subject in the entire article.

        The headline is about as long as the content it references.

        26 votes
      2. bendvis

        "You miss 100% of the shots you don't take"

        • Ed Bastian, Delta CEO
        2 votes
    2. [9]
      d32

      That is a weak defense of Microsoft manufactured by their PR department (fully blaming the EU); don't repeat it.

      3 votes
      1. [8]
        krellor

        What does the EU have to do with this? I never mentioned the EU. Microsoft announced years ago plans to close access to the kernel, possibly in Windows XP or Vista, I don't recall, and legal threats from security companies and US antitrust scrutiny caused them to change course.

        1 vote
        1. [7]
          sparksbet

          Microsoft was explicitly forbidden from closing access to the kernel by EU antitrust authorities, and they've explicitly blamed this antitrust action in statements following up the CrowdStrike incident.

          1 vote
          1. [4]
            papasquat

            But I mean, are they wrong?

            I'm not siding with Microsoft here, I don't think any manufacturer has the right to keep users from full control of a product they buy (what's up, apple?). Microsoft isn't lying here though. Allowing a 3rd party ring 0 access to a system means Microsoft absolutely cannot build any sort of stability guarantees into that system. All bets are off at that point, there's no sanity check Microsoft could build that could not be easily bypassed by the 3rd party.

            3 votes
            1. skybrian

              That's true, but one thing they could do is provide a safer API for third parties to use instead, and maybe they would?

              And it seems that eBPF might be that better API. Apparently on Linux, CrowdStrike used eBPF, and Microsoft has an eBPF implementation for Windows in development.

              It's not a foolproof solution. CrowdStrike caused crashes on RedHat Linux because their eBPF implementation had bugs. But it would give the OS vendor some control.

              1 vote
            2. d32

              I don't know if any of us is enough of an expert in operating systems / kernel programming here to evaluate their options - I'm certainly not, even with computer science degree - but I've heard they could have done it in such a way it wouldn't destroy security like this, by defining necessary minimum API to satisfy the regulations.

            3. sparksbet

              I'm not really knowledgeable enough to weigh in on whether they're wrong or not; I'd just be speculating based on the titles of Youtube videos by people smarter than me that I haven't even watched. I was just pointing out the circumstances that were causing the EU to be brought up, since that seemed to be causing confusion.

          2. [2]
            krellor

            Thanks for the explanation! I was passingly familiar but not aware of the explicit agreement. But since the person I replied to seemed focused on the EU piece it seemed important to highlight that the EU agreement isn't the only or the first example of pressure on Microsoft to keep their kernel open.

            3 votes
            1. d32

              Fair enough! And I didn't know there was more than one body pushing regulations on them besides the EU.

              1 vote
  2. [28]
    winther

    Don't all software licenses basically come with a clause stating that they are not liable for any damages caused by the product? I know you can't write whatever you want in such agreements as law still takes precedence, but would be interesting to see how this goes.

    5 votes
    1. [20]
      sparksbet

      Contracts like that can waive claims of ordinary negligence, but they can't waive gross negligence, which constitutes a much more extreme and egregious departure from the standard of care. An example used by attorney Leonard French in this video that goes into this in a bit more depth is that if you sign a waiver before playing paintball, that'll cover them for a lot of injuries sustained while playing paintball, but it wouldn't absolve them if you fell into a punji pit while playing, because that's egregiously outside what's normal or acceptable in a place you're having people play paintball. He explains it better in the linked video, but the gist is that while there's a higher bar to prove gross negligence than ordinary negligence, it's definitely not outside the realm of possibility here (and after what we've heard about Crowdstrike's protocols around testing and release, I absolutely believe they'd at least have some very good arguments to make for gross negligence.)

      17 votes
      1. [13]
        krellor

        Well, they can waive gross negligence. And depending on venue that may or may not work. But generally, it is more difficult to waive gross negligence. Some states require an attorney to be on record as counseling the party to successfully waive gross negligence. But I really don't know how that would shake out, other than lots of billable hours to the law firms in question.

        4 votes
        1. [12]
          vord

          No, they really can't. Trampoline parks have you sign all sorts of indemnification paperwork, but it's not worth squat if an injury occurs because a rusted-out trampoline falls apart in the normal course of use. Because part of the social contract of providing a service like that is that you actually take reasonable measures to provide usable equipment.

          It's a pretty common theme that contracts that try to sign away rights have those clauses invalidated when push comes to shove. It's just that it requires parties to be on relatively equal footing for legal representation to get that far.

          3 votes
          1. [11]
            krellor

            I don't believe that to be universally true. E.g., in Washington State the RCW allows individuals to waive certain rights if an attorney representing the individual signs that they have fully counseled the individual. In the case of negligence waivers, many states like California have statutes rendering liability waivers unenforceable in the event of injuries due to gross negligence. But I don't know, and wouldn't assume, that that automatically applies to financial damages.

            Even if that is the case, showing gross negligence is incredibly difficult.

            So I think a lot will come down to venue and the relevant statutes and case law, and anticipated cost of litigation vs settlement.

            I would also say that Delta will have a higher bar to clear than an individual hurt on a skydiving adventure. Other airlines recovered much more quickly, and the outage was ruled as within Delta's control by the DOT. Showing that but for crowdstrike's error, the financial damages would not have occurred could be difficult when many others experienced far less disruption.

            But that's all speculation. I'll be curious to see how this unfolds, if at all.

            3 votes
            1. [10]
              sparksbet

              Even if Delta ultimately doesn't win, I think there's more than enough case for gross negligence to at least survive a motion to dismiss. Plaintiffs will certainly have no problem finding expert testimony about just how egregiously bad and outside the norm for the industry CrowdStrike's release practices were, for instance, as basically anyone with even a passing knowledge of the tech industry is horrified by what information is already out there -- and god knows what we'll find if a case gets to discovery.

              Ultimately it'll definitely come down to the specifics of whatever jurisdiction they file in, but CrowdStrike's waivers of liability in their contracts with customers certainly don't guarantee them protections from lawsuits over this incident.

              4 votes
              1. [9]
                krellor
                (edited )

                I don't think I claimed they would be completely insulated by their contract.

                But let's be specific. Delta would have an enterprise agreement with a countersigned contract with crowdstrike. The terms of the contract would almost certainly be governed by the uniform commercial code (UCC) which has been fully ratified in almost all US states, and mostly ratified in like, one or two. Contract law class was a long time ago, so I forget.

                There are compelling arguments that the freedom to contract clause expressly allows parties to disclaim consequential damages in most situations not involving personal injury, where many states have superseding statutes.

                So this is a rich area of law full of precedent, and many courts would be hesitant to dampen the freedom to contract. In this case, Delta is not some naive party.

                Again, this is memory and speculation, and far outside my usual area of familiarity, which is the CFR.

                As a fun aside I asked ChatGPT for some quick references. I haven't fact checked it, so caveat emptor. Ironically, I have to go review some contracts:

                Sure, here are some relevant citations from the UCC and case law that illustrate how courts handle disclaimers for consequential damages:

                UCC § 2-316:
                    This section addresses the exclusion or modification of warranties and requires that disclaimers of implied warranties be conspicuous and specifically mentioned.
                    Example: "To exclude or modify the implied warranty of merchantability or any part of it the language must mention merchantability and in case of a writing must be conspicuous..."
                
                UCC § 2-719:
                    This section allows for the limitation or exclusion of remedies, including consequential damages, unless the limitation or exclusion is unconscionable.
                    Example: "Consequential damages may be limited or excluded unless the limitation or exclusion is unconscionable. Limitation of consequential damages for injury to the person in the case of consumer goods is prima facie unconscionable but limitation of damages where the loss is commercial is not."
                
                Case Law:
                    Wille v. Southwestern Bell Tel. Co., 549 S.W.2d 903 (Tex. 1977):
                        The court upheld a disclaimer of consequential damages in a service contract, finding it valid because it was clear and conspicuous.
                    Riegel Power Corp. v. Voith Hydro, Inc., 888 F.2d 1043 (4th Cir. 1989):
                        The court held that a limitation of consequential damages in a commercial contract was enforceable as it was clearly stated and not unconscionable.
                    Chatlos Systems, Inc. v. National Cash Register Corp., 635 F.2d 1081 (3rd Cir. 1980):
                        The court found that the limitation of consequential damages was enforceable as it was part of a negotiated agreement between two commercial parties.
                

                These citations illustrate that courts generally enforce disclaimers for consequential damages if they meet the requirements of being clear, conspicuous, and agreed upon by the parties, and are not unconscionable.

                1 vote
                1. [8]
                  sparksbet

                  My initial comment that you originally responded to did think they might be completely insulated by their contract, so I brought that up principally to make clear why I focused on the possibility that they are not insulated by their contract. I'm definitely not arguing the opposite, that it's impossible to disclaim commercial damages in a contract like this, which is what it seems that the ChatGPT citations are principally addressing.

                  I'm not a lawyer and never got farther than taking the LSAT once, so I'm relying on what I'm hearing lawyers I follow on social media say. My understanding is that there's definitely some line past which a party's behavior is so egregious that they can't disclaim liability (if only because doing so would be unconscionable on its face) but that the main issue with any case against CrowdStrike would be where that line falls in the jurisdiction they're being sued in and whether their behavior crosses it. I'd be curious to hear your take on the Leonard French video I linked in my earlier comment, since he goes into it from an actual lawyer's perspective and may address specifics in ways that make things clearer than my paraphrase as a layperson on Tildes.

                  1. [7]
                    krellor
                    (edited )

                    I don't know that I follow, but that's what happens when you have comment chains with multiple people chiming in. 🙂

                    I think the main point of confusion is the mixing of areas of law. I haven't watched the video, but the example of waiving liability for gross negligence when personal injury occurs is likely correct. You generally can't limit liability from injuries caused by gross negligence or wilful misconduct.

                    But that doesn't appear relevant here. There hasn't been personal injury, this isn't a consumer contract, and the details would really hinge on venue and the content and structure of their contract, which we don't have access to.

                    Without seeing their contract I can't even really begin to have an informed, but not expert, opinion.

                    I suspect Delta will have an uphill battle to recover any real damages. I would be shocked if the contract didn't prominently disclaim liability for costs incurred due to malfunction of the service, and limited to the face value of the contract.

                    But who knows. 🤷‍♂️

                    Personally, I would be leery of any YouTube videos that speculate and conclude anything more specific, because until we actually know the venue, see the filing, know the judge, etc, there are too many unknowns.

                    Edit: I had a moment and found this interesting read on the topic. I'm not familiar with many of the technical arguments, but my takeaway is that there are four main lines of argument Delta could make, but there is a high bar to clear, unless they get lucky with a judge that is confused between exculpatory and liability statutes.

                    1. [6]
                      whbboyd
                      (edited )

                      There hasn't been personal injury

                      It's not relevant (maybe?) to Delta's case, but it is virtually certain that human injuries and deaths can be traced directly to the Crowdstrike incident by way of EMR outages.

                      (I do not know how this plays out in terms of liability. Could injured patients or their families sue Crowdstrike for negligence? There's no contract whatsoever in place in that context…)

                      edit: I definitely should have clarified: "EMR" is "Electronic Medical Record", and they handle basically everything about modern hospital operations; not just recording notes and test results, but serving as a source of truth and communication channel for orders. Any hospital will have fallback procedures if their EMR is unavailable, but they are as a rule very inadequate, especially if used emergently for an extended period.

                      2 votes
                      1. [5]
                        krellor
                        (edited )

                        My hot take would be this: the covered entity would be liable for disruptions to their medical practice due to this outage, but might have stronger claims for damages against crowdstrike for their role, especially if the agreement between the covered and crowdstrike made explicit the criticality of the systems in the delivery of care. But it's so hard to say, because the law is very technical in regards to torts and contracts. It really requires deep expertise with knowledge of the applicable statutes and case law to say.

                        I'm fairly familiar with health policy and law, and I can't think of another example where a service provider to a covered entity has a disruption in service and was sued by the patients. Outside of things like faulty medical devices, which is different.

                        Edit: thinking about this hypothetical example is interesting. If the power goes out for a hospital, is the utility company liable for injuries to patients as a result of the outage, even in the case of negligence? I would think not, hence why hospitals have generators, and one facet of HIPAA compliance is redundancy for continuity of care. But the hospital might be liable depending on if they took reasonable steps to mitigate harm factoring such an eventuality. But that's the sort of legal scenario that could keep lawyers busy through years of litigation to figure out based on the context.

                        1. [4]
                          boxer_dogs_dance

                          I have seen discussion and advocacy about holding emrs to the liability standard of medical device. But I have no idea

                          1. [3]
                            krellor

                            The health regulation ecosystem is frankly a fragmented mess. Medical devices are governed primarily by FDA regulations, while EMR's are really only governed by HIPAA and HITECH, sort of.

                            There's a bunch of other regulations that can get tacked into an EMRs implementation to facilitate compliance with clinical trials, eIRB integrations, streamlining DSA's, etc, where those things are relevant. Depending on who is operating the EMR and what it is doing, it could have to deal with regulations from HHS, FDA, DHA, etc. But I suspect the strongest regulations in terms of resiliency and reliability come from HIPAA and case law establishing liability for providers who don't properly patient records.

                            1. [2]
                              boxer_dogs_dance

                              Yeah. Not my area of law.

                              However when it comes to harm caused by Crowdstrike, 911 systems went down and I would be very surprised if it didn't kill some people.

                              I know I read that healthcare workers said that people died because hospital computers were down, but as you said, part of that liability should be on the hospital for not having alternative systems ready to implement.

                              It's going to be interesting to see what other suits come out of this

                              1 vote
                              1. krellor

                                It's going to be interesting to watch. I'm really curious to see if anyone gets consequential damages.

                                2 votes
      2. [6]
        skybrian

        What have you heard? I haven’t read anything new about it since Crowdstrike released their preliminary report.

        1 vote
        1. [5]
          sparksbet

          In their (very bad) report about what went wrong they revealed that they only ran automated tests and apparently do no testing locally before rolling out this kind of update. That plus the fact that they rolled the bad update out to 100% of machines (and the fact that the bad file was all zeroes, so it was not a subtle bug to catch) means their procedure was wildly far from normal practices in tech for even software that doesn't have kernel access.

          12 votes
          1. [2]
            chocobean

            Wow that's....punji pit level negligence isn't it? They're in security and what can go wrong when things go wrong: folks going for paintball would have reasonably relied on the facilities to

            A, do more than automated testing

            B, put it on a small network of machines first

            And

            C, staggered roll out

            At the very least, like you said for software that doesn't have kernel access

            5 votes
            1. sparksbet

              yeah, the sheer number of basic best practices they didn't have in place is jaw-dropping and is definitely a big part of why they have a case no matter what they have in their terms of service. It's not a guaranteed win ofc but it's a very strong case from my layman's perspective.

              4 votes
          2. [2]
            skybrian

            I’m not sure about the all-zeroes thing. It seems to be a rumor going around, but possibly due to confusion?

            1. sparksbet

              In their statement the day after the incident, Crowdstrike has confirmed that the error was due to "faulty content" in Channel File 291 (deleting this file after booting in safe mode is how one resolves the resulting BSOD issue). Crowdstrike's official statement on the technical details. They do say that "This is not related to null bytes contained within Channel File 291 or any other Channel File," but afaik the reason there was speculation was because the all-null channel file did exist even if it wasn't the ultimate cause of the BSOD. Crowdstrike have been very tight-lipped about the details when it comes to the specifics of the actual bug beyond "logic error" unfortunately. They did put out a blog post that seems to indicate that the all-null channel file may have been an artifact of the crash rather than a cause of it... how much credence you give their blog posts about this incident is of course its own matter. I wasn't actually completely up to date on this, though, so thanks for the impetus to check.

              3 votes
    2. [7]
      Omnicrola

      EULA are weird. From my point of view as a non-lawyer, they occupy a weird in between space where they are both enforceable and unenforceable. They all basically say the same thing, which is that the company isn't responsible for anything unless a law says otherwise. Which laws? Who knows.

      You and I don't have anywhere close to the legal and monetary resources to challenge any corporation's EULA in court and win. Delta though? They certainly do. At the absolute minimum they can settle with Crowdstrike out of court for a lesser amount, and Crowdstrike would happily pay them just to avoid the legal fees and the extended publicity of a court battle.

      16 votes
      1. [6]
        winther

        But then thousands of other companies will also seek compensation, which will likely just result in Crowdstrike going bankrupt. Not sure they will be so eager to settle.

        6 votes
        1. [5]
          boxer_dogs_dance

          They will settle if they think they will lose in court. And yes, Crowdstrike going bankrupt is a very possible end result.

          Fortune 500 companies don't sit back and accept losses unless they are unavoidable

          10 votes
          1. [2]
            public

            The way I understand it, Crowdstrike is significantly better endpoint protection than the native Microsoft solutions. Them going bankrupt could be a boon for the malware industry if it disrupts their development unit too much in the reorg.

            2 votes
            1. vord

              I assume somebody will buy out all of the Crowdstrike assets and the company will carry on with a different owner/name.

              I'd be surprised if Microsoft didn't buy them and integrate it into Windows Defender (gated behind an ultrapremium support contract of course).

          2. [2]
            chocobean

            My hope is that these fortune 500 would get together and back legislation for basic testing procedures after this disaster

            1 vote
            1. vord

              That's the fortune 500 company's fault for not doing due diligence.

              My employer won't purchase any software from someone without a $10 million dollar insurance policy if their software is the cause of a data leak.

              4 votes